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ABSTRACT 



A supplier device 70 which supplies title data is equipped 
with a encryption module 74 for performing an encryption 
which is substitutive in nature and the user device 90 which 
uses the title data is equipped with a decryption module 93 
for performing a decryption which corresponds to the 
encryption. The supplier device 70 uses this encryption 
module 74 to prove its own authorization and authenticate 
other devices. Similarly, the user device 90 uses this decryp- 
tion module 93 to prove its own authorization and authen- 
ticate other devices. 

22 Claims, 10 Drawing Sheets 
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COMMUNICATION DEVICE WHICH 
PERFORMS TWO-WAY ENCRYPTION 
AUTHENTICATION IN CHALLENGE 
RESPONSE FORMAT 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates to communication devices 
which authenticate each other using encryption before per- 
forming data communication. 

2. Description of the Prior Art 

When performing data communication, there are many 
instances when it is necessary to take protective measures 
against unauthorized copying or alteration of data. 

In the example shown in FIG. 1, this relates to the optical 
disc reproduction device 10 reading a title such as a movie 
from the optical disc 13 and distributing a copy of the title 
via the network 11 to only the authorized movie reproduc- 
tion device 12, at the same time preventing eavesdropping 
by unauthorized movie reproduction device 14. 

Secret communication where two-way authentication is 
performed in "Challenge Response" format provides one 
method where data communication is restricted to the supply 
of data from communication devices which have the author- 
ity to distribute data (hereinafter referred to as supplier 
devices) to communication devices which are authorized to 
receive the data (hereinafter referred to as authorized user 
devices), with other communication devices being excluded 
from the communication. The procedure for this land of 
communication can be broadly divided into the following 
two steps. 

1. Authentication Step 

Before executing data communication, both devices 
verify that the device with which they are in contact is an 
authorized device. This is performed to prevent unautho- 
rized communication devices from becoming an authorized 
supplier device or an authorized user device. 

This confirmation is performed using encryption and 
consists of three main procedures. First, a first device 
transmits challenge data to the second device. The second 
device then proves its authorization for this challenge data 
and replies using response data. Finally, the first device 
verifies this response data. 

2. Secret Communication Step 

Secret communication of the object data is only per- 
formed when the authentication has been achieved in the 
previous step. This is to prevent eavesdropping during data 
transfer by third communication device. An example of a 
conventional technique for performing secret communica- 
tion with two-way authentication performed in "Challenge 
Response"format is a communication system standardized 
using International Organization for Standardization/ 
International Electrotechnical Commission (ISO/IEC) 
97892-2. 

FIG, 2 shows the communication sequence performed 
when an authorized supplier device 15 transmits a copy of 
a title in its possession to an authorized user device accord- 
ing to the above conventional technique. Here, steps S21 to 
S33 in the drawing correspond to the authentication step 
described above, with steps S34 to S36 corresponding to the 
aforementioned secret communication step. Each of those 
steps in the drawing are described in more detail below. 
Steps S21, S22 

First, the authorized supplier device 15 generates a ran- 
dom number Rl and transmits it to the authorized user 
device 16 as challenge data CHA1. 
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Steps S23, S24 

On receiving the challenge data CHA1, the authorized 
user device 16 generates a random number R2 as challenge 
date for the supplier device 15, and links these two as the 

5 data CHA1||R2. It then sets this linked data (CHA1||R2) as 
plaintext and performs a first encryption E 2 according to the 
first encryption algorithm using an authentication key Kl, 
which is provided beforehand only to authorized devices, as 
the encryption key. It then sends the resulting cryptogram E^ 

10 (Kl, CHA1||R2) to the supplier device 15. 

It should be noted here that this cryptogram RESCHA is 
both the response data in reply to the challenge data CHA1 
sent from the supplier device 15 and the challenge data for 
the supplier device 15. 

15 Step S25 

On receiving this date RESCHA, the supplier device 15 
sets it as a cryptogram and performs the first decryption D x 
according to the first encryption algorithm, using the authen- 
tication key Kl, which is provided beforehand only to 
20 authorized devices, as the decryption key. 

It should be noted here that the decryption D 1 is a reversal 
of the process in the encryption Ej according to the first 
encryption algorithm. 
Step S26 

25 Next, the supplier device 15 performs a reversal of the 
process in step S23 for the result XI of the decryption D u 
which is to say it performs separation to obtain separated 
data RR1 which corresponds to challenge data CHA1 and 
separated data RR2 which corresponds to random number 

30 R2. 
Step S27 

The supplier device 15 then compares the separated data 
RR1 with the random number Rl generated in step S22. 

If, as a result, the numbers coincide, the supplier device 
35 15 verifies that user device 16 is authorized. This is based on 
the observation that both devices are in possession of the 
authentication key Kl which is only known by authorized 
devices. 

If, on the other hand, the numbers do not coincide, the 

40 supplier device 15 regards the user device 16 as not autho- 
rized and cancels the remaining processes. 
Steps S26, S29 

The supplier device 15, having authenticated the device 
with which it is in communication in the above steps, next 

45 moves o nto generating a. new random number K for use 
during secret communication and links this to separated!! ata 
RR2. It then sets this linked data (RR2||K) as plaintext end 
performs a first encryption E 1 according to a first encryption 
algorithm using a second authentication key^ K2, wfiicrT is 

50 pTOv1de^n5eTorenana~onl5rtb^mh^"z^^evices, as the 
encryption key. It then sends the resulting cryptogram Ej 
(K2, RR2||K) to the user device 16. 

It should be noted here that this cryptogram (RES2) 
serves as both the response data in reply to the challenge 

55 data RESCHA sent from the user device 16 and as the 
distribution of the shared key K for secret communication. 
Step S30 

On receiving this data RES2, the user device 16 sets it as 
a cryptogram and performs a decryption D 1 according to the 
60 first encryption algorithm using the second authentication 
key I^ provided beforehand as the decryption key. 
Step S31 

Next, the user device 16 performs a reversal of the process 
in step S28 for the result X2 of the decryption D 1? which is 
65 to say it performs separation to obtain separated data RRR2 
which corresponds to response data RR2 and separated data 
KK which corresponds to random number K. 
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Step S32 

The user device 16 then compares the separated data 
RRR2 with the random number R2 generated in step S24. 

If, as a result, the numbers coincide, the user device 16 
confirms that supplier device 15 is authorized. This is based 
on the observation that both devices are in possession of the 
authentication key K2 which is only known by authorized 
devices. It should be noted here that when the separated data 
RRR2 and the random number coincide, the separated data 
KK will be equal to random number K. 

If, on the other hand, the numbers do not coincide, the 
user device 16 regards the supplier device 15 as not autho- 
rized and cancels the remaining processes. 
Step S33 

On authenticating the supplier device 15 in the step given 
above, the user device 16 informs the supplier device 15 of 
this verification. 

By doing so, the two-way authentication is positively 
completed at the same time as the provision of the shared 
key K for the following secret communication is completed. 
Steps S34, S35 

The supplier device 15 then sets a copy of the title as 
plaintext and performs encryption E 2 according to a second 
encryption algorithm using the shared key K as the encryp- 
tion key, before transferring the encrypted title to user device 
16. 

Step S3 6 

On receiving the encrypted title, the user device 16 sets it 
as a cryptogram and performs decryption D 2 according to 
the second encryption algorithm using the shared key K as 
the decryption key. 

It should be noted here that the decryption D 2 is a reversal 
of the process in the encryption E 2 according to -the second 
encryption algorithm. 

By means of the above procedure, a copy of the title in the 
possession of the: authorized supplier device 15 can be 
distributed to the authorized user device 16, with eavesdrop- 
ping by a third communication device during distribution 
being prevented. 

However, there are the following drawbacks with the 
verification method described above. 

(1) In order to perform two-way verification, both devices 
require large-scale logic circuits which prevent reductions in 
the size of the equipment. 

In general, a more complex and hence more secure 
encryption algorithm is used in the authentication step than 
in the Secret communication step. Here, a title comprises a 
huge amount of data, so that while from the viewpoint of 
transfer time it is necessary to perform the encryption and 
decryption of the title in a short time, only a negligible 
amount of date is used by the challenge data and response 
data in comparison to the title data, so that there are no 
effective restrictions on the amount of data used. Moreover, 
it is more important that a complex encryption algorithm of 
high security be used in the authentication step in order to 
improve the overall security of data communication. 

Here, in order to execute the authentication step, both 
devices need to be equipped with an encrypter for executing 
encryption Ej and a decrypter for executing decryption Dj. 

If it is supposed here that each of the encrypter and the 
decrypter is composed of a logic circuit which includes ten 
thousand gates, both devices will need to include logic 
circuits which include over twenty thousand gates in order 
execute two-way authentication. This makes the realization 
of compact, low-cost optical disc reproduction devices and 
image reproduction devices problematic. 

(2) The secret management necessary for maintaining the 
security of two-way authentication is very difficult. 
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In order to maintain the security of two-way 
authentication, the encryption algorithm. In order to do so, 
it is necessary to provide an encrypter and a decrypter only 
to the authorized supplier device 15 and the authorized user 
5 device 16. 

Here, for the aforementioned authentication method, the 
encrypter and the decrypter provided in the supplier device 
15 are the same as those which are be provided in the user 
device 16. As a result, should an unauthorized communica- 

10 tion device succeed in acquiring the encrypter and the 
decrypter provided in a supplier device 15, this unauthorized 
communication device can then be easily used as either a 
supplier device 15 or a user device 16. In the same way, 
should it succeed in acquiring the encrypter and the 

15 decrypter provided in a user device 16, this unauthorized 
communication device can then be easily used as either a 
user device 16 or a supplier device 15. This means that in 
order to maintain the security of two-way authentication, it 
is necessary for the encrypter and decrypter in both the 

20 supplier device 15 and the user device 16 to be protected at 
a same high level of security. 

However, since there are generally far greater number of 
title users than title distributors, it is difficult to maintain 
complete security for the encrypters and decrypters used by 

25 all of the user devices 16, As a result, it is easy for 
unauthorized users to improperly obtain copies of titles or to 
improperly distribute them. 

As one example, suppose "authorization" is set as "con- 
forming to an established standard for optical discs". If in 

30 this case, the encrypter and the decrypter are supplied not 
only to the company which manufactures an optical disc 
reproduction device which conforms to this standard but 
also to a large number of companies which manufacture 
image reproduction devices which conform to the standard. 

35 Since it is necessary here to maintain the secrecy of the 
systems, such secrecy management is highly problematic. 

SUMMARY OF THE INVENTION 

In view of the stated problems, it in a primary object of 
40 the present invention to provide a two-way authentication 
device in challenge response format which can maintain a 
high level of security and which is more compact than 
conventional devices. 

It is a secondary object of the present invention to provide 
45 a two-way authentication device in challenge response for- 
mat which allows simple secrecy management for maintain- 
ing the security Of two-way authentication. 

In order to achieve the above first and second objects, the 
supplier device is equipped with a first authentication key 
50 and a first encrypter, with these being used for both the 
verification of the authorization of other devices and the 
demonstration of the authorization of the present device. In 
the same way, a user device is equipped with a first authen- 
tication key and a decrypter, with these being used for both 
55 the verification of the authorization of other devices and the 
demonstration of the authorization of the present device. 
Here, the encrypter performs an encryption which is substi- 
tutive in nature and the decrypter performs the reverse 
converse of this encryption, with both devices being pro- 
go vided with the same authentication key. 

The present invention is configured so that if the encrypter 
performs an encryption which is substitutive in nature, 
plaintext is returned to its original form not only if decryp- 
tion is performed after first performing encryption but also 
65 if encryption is performed after first performing decryption. 
Due to the above characteristic of the present invention, 
authentication of the user device by a supplier device, which 
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has conventionally been executed by first having a user 
device perform encryption and a supplier device perform 
decryption, can be performed by a user device perform 
decryption and a supplier device perform encryption. By 
doing so, a supplier device need only comprise a single 
encrypter and a user device need only comprise a single 
decrypter to perform the same two-way authentication as 
conventional methods. This is to say, the present invention 
provides a two-way authentication device in challenge 
response format which is more compact than conventional 
devices but which suffers from no lose of security. 

Unlike conventional systems, in the present invention the 
components (encrypter and authentication key) in the sup- 
plier device which need to be kept secret are different to the 
components (decrypter and authentication key) in the user 
device which need to be kept secret, which means that it is 
easier to maintain a high level of security for the two-way 
authentication. This is to say, should an unauthorized com- 
munication device obtain the decrypter and authentication 
key, while such communication device may be used as a user 
device it cannot be used as a supplier device. This means that 
by maintaining an extremely high level of security for 
secrecy management of the encrypter and authentication key 
in the supplier device, the most serious violation of security, 
which in the use of an unauthorized communication device 
as a supplier device, can be avoided. 

It is possible for the authentication key and the encrypter 
in the supplier device to be combined in a single IC chip and 
for the authentication key and the decrypter in the user 
device to be combined in a single IC chip. By doing so, it is 
very difficult to decode the encryption algorithm and authen- 
tication key using a unauthorized communication device, 
which improves the security of two-way authentication and 
makes secrecy management simple. 

It is also possible to equip the supplier device and user 
device with a common second authentication key and sec- 
ond encrypter, in addition to the aforementioned encrypter 
and decrypter, for two-way authentication. This is to say, the 
supplier device uses not only the first encrypter but also this 
second encrypter for both the verification of the authoriza- 
tion of other devices and the demonstration of the authori- 
zation of the present device. In the same way, the user device 
uses not only the decrypter but also this second encrypter for 
both the verification of the authorization of other devices 
and the demonstration of the authorization of the present 
device. By doing so, the security of the two-way authoriza- 
tion can be improved and, by having secrecy management 
performed for this pair of second authentication keys and 
second encrypters, secrecy management can be performed 
simultaneously for both devices. 

BRIEF DESCRIPTION OF THE DRAWINGS 

These and other objects, advantages and features of the 
invention will become apparent from the following descrip- 
tion taken in conjunction with the accompanying drawings 
which illustrate a specific embodiment of the invention. In 
the drawings: 

FIG. 1 shows an example construction of the communi- 
cation system required for two-way authentication; 

FIG. 2 shows the communication sequence when trans- 
ferring a copy of a title in the possession of a supplier device 
to a user device, according to the prior art; 

FIG. 3 is a block diagram showing the composition of the 
two-way authentication system in challenge response format 
to which the first embodiment of the present invention 
relates; 
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FIG. 4A shows an example of a substitutive transforma- 
tion; 

FIG. 4B shows an example of a non-substitutive trans- 
formation; 

5 FIG. 5 shows the communication sequence when trans- 
ferring a copy of a title in the possession of a supplier device 
to a user device, according to the present embodiment of the 
present invention; 
1Q FIG. 6 is a block diagram showing the composition of the 
two-way authentication system in challenge response format 
to which the second embodiment of the present invention 
relates; 

FIG. 7 shows the communication sequence when trans- 
]5 ferring a copy of a title in the possession of a supplier device 
to a user device, according to the second embodiment of the 
present invention; 

FIG. 8 is a block diagram showing the composition of the 
two-way authentication system in challenge response format 
20 to which the third embodiment of the present invention 
relates; 

FIG. 9 shows the phase transition and data exchanges 
when transferring a copy of a title in the possession of a 
supplier device to a user device via an SCSI bus; and 
25 FIG. 10 shows an example construction of an 8 bit data 
encrypter which is substitutive in nature. 

DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

30 First Embodiment 

A block diagram showing the composition of the two-way 
authentication system in challenge response format to which 
the first embodiment of the present invention relates is 
shown in FIG. 3. 
35 This system is composed of a supplier device 70 and a 
user device 90 which are connected via a network 85. 

The supplier device 70 is a communication device for 
supplying a copy of a title for which it holds the rights to an 
authorized user device 90, and is made up of sending/ 
40 receiving unit 86, construction elements for principally 
performing the authentication step (these being a first ran- 
dom number generator 71, a encryption module 74, a 
separator 75, a comparator 76, a second random number 
generator 77 and a linking unit 78) and construction ele- 
45 ments for principally performing the secret communication 
step (these being a shared key temporary storage unit 79, an 
encrypter 80 and a title storage unit 81). The operation 
timing of these construction elements is controlled by a 
system controller which is not illustrated. 
50 The sending/receiving unit 86 is made up of a signal level 
transformer or the like and executes the both data transmis- 
sion to the network 85 and data reception from the network 
85. 

The first random number generator 71 generates a 32-bit 
55 random number as the challenge data for the user device 90. 
The encryption module 74 is a single IC chip which 
performs the encryption for the authentication step, and 
includes an encrypter 72 for performing encryption E 2 using 
a first encryption algorithm and an authentication key stor- 
60 age unit 73 for storing a secret 64-bit authentication key KS 
which are combined in its internal construction. As one 
example, this encryption module 74 can conform to Data 
Encryption Standard (hereinafter, DES) and be of "substi- 
tution" type. The details of "substitution" are described later 
65 in this specification. 

The separator 75 separates the 64-bit data from the 
encrypter 72 into two sets of separated data which are the 
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higher-order 32 bits and the Lower-order 32 bits, before 
transferring the former to comparator 76 and the latter to 
linking unit 78. 

The comparator 76 compares the random number from 
the first random number generator 71 and the separated data 
from the separator 75 and judges whether the two coincide. 

The second random number generator 77 generates a 
32-bit random number for the shared key to be used in the 
secret communication step only after receiving notification 
from the comparator 76 that the two numbers coincide. 

The linking unit 78 generates 64,-bit data by setting the 
separated data from the separator 75 as the higher-order 32 
bits and the random number generated by the second random 
number generator 77 as the lower-order 32 bits. 

The shared key temporary storage unit 79 temporarily 
stores the one random number sent from the second random 
number generator 77. Then, only after receiving notification 
of positive authentication from the user device 90, the shared 
key temporary storage unit 79 sends the stored random 
number, which is to say the shared key K, to encrypter 80. 

The title storage unit 81 is made up of an optical disc for 
storing a movie or the like according to an established 
standard and a reproduction device for the disc. It stores the 
title data to be supplied to other authorized communication 
devices. 

The encrypter 80 performs encryption E 2 using the second 
encryption algorithm. It sets 64-bit units of data read from 
the title storage unit 81 as plaintext and performs encryption 
using the shared key K sent from the shared key temporary 
storage unit 79 as the encryption key. As one example, this 
second encryption algorithm can be a substitution encryp- 
tion performed for 64-bit units. 

On the other hand, the user device 90 is a communication 
device which is authorized to receive the copy of the tide 
from the supplier device 70 and to perform predetermined 
processing, with the user device 90 being composed of a 
sending/receiving unit 87, construction elements principally 
for performing the authentication step (a first random num- 
ber generator 94, a linking unit 95, a decryption module 93, 
a separator 96 and a comparator 97) and construction 
elements principally for performing the secret communica- 
tion step (a shared key temporary storage unit 98, a 
decrypter 99 and a title processing unit 89). The operation 
timing of these construction elements is controlled by a 
system controller which is not illustrated. 

The sendingfreceiving unit 87 has the same functions as 
the sending/receiving unit 86. 

The first random number generator 94 generates a 32-bit 
random number for the challenge data for the supplier 
device 70. 

The linking unit 95 generates 64-bit data by setting the 
challenge data from the user device 90 as the higher order 32 
bits and a random number from the first random number 
generator 94 as the lower order 32 bits. 

The decryption module 93 is a single IC chip which 
performs the decryption for the authentication step and 
includes a decrypter 91 for performing decryption D 1 using 
the first encryption algorithm and an authentication key 
storage unit 92 for storing a secret 64-bit authentication key 
KS which are combined in its internal construction. This 
decryption D 1 is the reverse of the encryption E r Here, the 
authentication key KS stored by remote control reception 
unit 92 is the same as that stored by the authentication key 
storage unit 73. 

The separator 96 separates the 64-bit data from the 
decrypter 91 into two sets of separated data made up of the 
higher order 32 bits and the lower order 32 bits. It sends the 
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former to the comparator 97 and the latter to the shared key 
temporary storage unit 98. 

The comparator 97 compares the random number from 
the first random number generator 94 with the separated data 

5 from the separator 96 and judges whether the two coincide. 
The shared key temporary storage unit 98 temporarily 
stores the separated data sent from the separator 96. 
However, only after receiving notification of coincidence 
from the comparator 97 does the shared key temporary 

10 storage unit 98 send a notification of such to the supplier 
device 70 and send the separated data, which is to say the 
shared key, to the decrypter 99. 

The decrypter 99 performs decryption D 2 according to the 
second encryption algorithm. In doing so, it sets the 64-bit 

15 data units which are sent from the supplier device 70 and 
which compose the title as plaintext end decrypts them using 
the shared key K sent from the shared key temporary storage 
unit 98 as the decryption key. This decryption D 2 is a reverse 
of the processing in encryption E 2 . 

20 The title processing unit 89 can be made up of a device for 
image reproduction of image data according to an estab- 
lished standard and performs the reproduction processing of 
the data sent from the decrypter 99. 
The following is an explanation of "substitution". The 

25 explanation supposes that encryption E performs the trans- 
formation E( ) of group SI to group S2 while the corre- 
sponding decryption performs reverse transformation D( ). 

In the above case, the classification of E( ) as a substitu- 
tion means that the following three conditions are satisfied. 

30 i. S1=S2. 

2. E( ) is a monomorphic. 

3. E( ) is a epimorphic. 

Here, E( ) is monomorphic because for unknown x and y 
35 in SI, the relation x=y is valid when E(x)=E(y). E( ) is 
epimorphic because for any unknown z in S2, there is an 
unknown w in SI which satisfies E(w) —z. It should be noted 
here that if E( ) is a substitution, D( ) must also be a 
substitution. 

4(J The following explanation deals with the above on the 

relationship between E( ) and D( ). 

Firstly, if E( ) is epimorphic, since D( ) is the reverse 

transformation of E( ), for any unknown x in SI, the result 

D(E(x)), which is the reverse transformation using D( ) of 
45 the result E(x) when x has been converted using E(x), will 

be equal to x. This is to say, the following Equation 1 is 

satisfied. 

x =£>(£(*)) (Equation 1) 

50 Here, since S1-S2, for any unknown x in SI, the result 
D(x) of reverse transformation using D( ) will be an 
unknown in SI. Accordingly, D(x) can be substituted for x 
in Equation 1 to give Equation 2 below. 

55 D(x)=D(E(D(x))) Equation 2) 

Also, since D( ) is monomorphic, Equation 3 below can 
be established from Equation 2. 

x=E(D(x)) (Equation 3) 

60 

The above Equation 3 states that the result E(D(x)) which 
is given by converting the result D(x), obtained by having 
reverse converted an arbitrary unknown x using D( ), 
according to E( ) is equal to x. 
65 As can be seen from Equations 1 and 3 above, for 
encryption techniques which are substitutive in nature, both 
decryption after encryption and encryption after decryption 
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result in a return to the original plaintext. The encryption Step S47 

technique used by the present system is such a substitution. On receiving the separated data RR1, the comparator 76 

Here, in order to assist the reader's understanding, compares this separated data RR1 with the random number 

examples of substitutive transformation and non-substitutive R1 received from the first random number generator 71 and 

transformation will be given, with the former being shown 5 notifies the second random number generator 77 of the 

in FIG. 4A and the latter being shown in FIG. 4B. Here, SI ™ m P a "?? n ^ ult * 

and S2 are groups based on all of the data which can be Me P s . 

, . .K ... - iUt . ,i«.,™k^ w ™ On receiving notification of coincidence from the com- 

expressed using throe bits, ^ h ^^ n ™^S P^ator 76, the second random number generator 77 gener- 

elements in SI and S2 being shown by the arrows In the ^ random number R for ^ sharcd ^ ^ ^ - t tQ thc 

transformation shown in FIG. 4B, neither the condiUon of 10 un[{ ?g and (o ^ ghared key temporary storage unil 

monomorphism nor that of epimorphism are satisfied. ?9 ^ equates to me case wnen me supplier device 70 has 

The following is an explanation of the operation of the been able t0 C0Qnnn that the user device 90 is authorized, 

present system with reference to the sequence shown in FIG. On the other hand, on receiving notification of non- 

5. coincidence from the comparator 76, the second random 

FIG. 5 shows the communication sequence when a copy 15 number generator 77 does not generate random number K 

of a title belonging to the authorized supplier device 70 is and so does not perform the processing described above, 

transferred to the authorized user device 90. This drawing This equates to the case when the supplier device 70 has not 

corresponds to FIG, 2 in the prior art section and shares been able to confirm that the user device 90 is authorized, 

many steps with the prior art example. The differences lie in On receiving the shared key K, the linking unit 78 links 

encrypter and decrypter used in steps S43, S45, S48 and 20 the shared key K with the separated data RR2 from the 

S50. Each step in FIG. 5 in explained below with reference separator 75 and sends this linked data (RR2||K) to the 

to the block diagram in FIG. 3. encrypter 72. , nMHT ~ , . 

Steps S41 S42 Tiie encrv P ter 72 sets me lmk ed data (R R2 II K ) as plaintext 

First, the first random number generator 71 in the supplier and performs encryption E, according to the first algorithm 

device 70 generates random number Rl and transmits it as M using the authentication key KS stored in the authentication 

challenge data CHA1 to the user device 90 via the sending/ key storage unit 73 as the encryption key. The cryptogram E, 

receiving unit 86 and the network 85. (KS RR2||K) thus obtained is then sen to the user device 90 

cai as the response data RES2 in reply to the challenge data 

Meps a4,J, J>44 RESCHA 

On receiving ;the ^challenge data CHA3 .viz th e _senchng/ ^ f ?() ^ M ^ 

receiving umt 87, the linking umt 95 m Je ^ dev ce 90 ? £ ^ ^ ^ gQ ^ 

obtams random number R2 from me fir^don, number P to ^ ,„ ( 

generator 94 as challenge data for the supplier device 7U, » * . nA , ^ / 

and links these two as the data CHA1||R2. llthen sends this S48)' .sing only one encryption module 74, winch was not 

linked data (CHA1||R2) to the decrypter 91. sTsSO 

The decrypter 91 sets thin linked data (CHAl|p2) an a e P receiv . ^ ^ R£S2 ^ ^ % ^ ft aJ 

cryptogram and performs decryption D, accordmg ; to the aintext ^ ms d , ion D accordi t0 the first 

first encryption a gon thro usmg the authenUca ion key KS P ^ » authentication key KS stored 

stored in the authentication key sto age umt 92 as the ^\ uth J lkition key storage unit 92 as the encryption 

decryption key. It should be noted here that while in step S23 / & 

of the prior art the linked data (CHA1||R2) was subjected to 40 ^* 

encryption E 3 , for the present system the linked data is C P ^ ^ ^ {e& ^ ^ X1 of ^ 

subjected to decryption D l7 with these two processes being decryption Dj £ y ^ decrypter 91 and sen ds the separated 

different. ^ « . , f data RRR2 corresponding to the separated data RR2 to the 

Hie message D, (KS,CHA1||R2) obtained from the 45 comparator 97 and the separated data KK corresponding to 

decryption D, is the response data to the challenge data ^ sh&red . R tQ lhe shared k temporary stora ge unit 

CHA1 and is transmitted to the supplier device 70 as the ^ 

challenge data RESCHA for supplier device 70. stej)S s ^ S53 

Step S45 Q n rcc eiving the separated data RRR2, the comparator 97 

On receiving this data RESCHA, the encrypter 72 sets it 50 com p ares this separated data RRR2 with the random number 

as plaintext and performs encryption E 1 according to the first ^ received from the first random number generator 94 and 

encryption algorithm using the authentication key KS stored sends notification of the comparison result to the shared key 

in the authentication key storage unit 73 as the encryption temporary storage unit 98. 

key. It should be noted here that while in step S25 of the The shared key temporary storage unit 98 temporarily 

prior art the data RESCHA was subjected to decryption D lf 55 slore s the separated data KK received from the separator 96. 

for the present system the linked data is subjected to Qn receiving notification of coincidence from the compara- 

encryption E ly with these two processes being different. lor 97^ me shared key temporary storage unit 98 sends 

In this way, for plaintext CHA1, the present system notification of this to the supplier device 70 and sends the 

performs encryption E x (step S45) after first performing separated data KK (which is the same as the shared key K) 

decryption Dj (step S43), which, as can be seen from 60 to decrypter 99. This equates to the case when the user 

Equation 3, returns the data to the original plaintext CHA1. device 90 has been able to confirm that the supplier device 

Step S46 70 is authorized. This is to say, the two-way authentication 

Next, the separator 75 separates the result XI of the is positively completed at the game time as the provision of 

encryption E ± by the encrypter 72 and sends the separated the shared key K for the following secret communication is 

data RR1 corresponding to the challenge data CHA1 to the 65 completed. 

comparator 76 and the separated data RR2 corresponding to On the other hand, on receiving notification of non- 
random number R2 to the linking unit 78. coincidence from the comparator 97, the shared key tem- 
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porary storage unit 98 does not perform transmission to the 
supplier device 70 or to the decrypter 99. Accordingly, the 
following processes described above are not performed. 
This equates to the case when the user device 90 has not 
been able to confirm that the supplier device 70 is autho- 5 
rized. 

Steps S54, S55 

On receiving notification of positive authentication from 
the user device 90, the shared key temporary storage unit 79 
sends the previously-stored random number, which is to say 10 
shared key K, to the encrypter 80 which performs the 
encryption E 2 according to the second encryption algorithm. 

The encryptor 80 sets a copy of the title stored in the title 



perform the more significant violation of secrecy which is 
the unauthorized supply of such titles. 
Second Embodiment 

The following is an explanation of the two-way authen- 
tication system of challenge response format to which the 
second embodiment of the present invention relates. The 
present system features an improvement in the security of 
the two-way authentication over the system in the first 
embodiment. 

FIG. 6 is a block diagram showing the composition of the 
two-way authentication system in challenge response format 
to which this second embodiment of the present invention 
relates. 

As can be seen by comparing the present figure with FIG. 



storage unit 81 as plaintext and performs encryption E 2 
according to the second encryption algorithm, using the 15 3, in the present system the supplier device 170 includes a 
shared key K sent from the shared key temporary storage new encryption module 84 in addition to the construction 
unit 79 as the encryption key, before transferring the elements of the supplier device 70 in the first embodiment 
encrypted result to the user device 90. end the user device 190 includes a new encryption module 

Step S56 103 in addition to the construction elements of the user 

On receiving the encrypted copy of the title, the decrypter 20 device 90 in the first embodiment. It should be noted here 
99 sets this as a cryptogram and performs decryption D 2 that the construction elements in FIG. 6 which are the same 
according to the second encryption algorithm using the as those in the system of the first embodiment have been 

given the same reference numerals. 

The encryption modules 84, 103 are each made up of a 
25 single IC chip which performs the encryption for the authen- 
tication step, with an encrypter (respectively 82, 101) for 



shared key K sent from the shared key temporary storage 
unit 98 as the decryption key. 

By doing so, the authentication step and secret commu- 
nication step are completed as in the prior art. This is to say, 
if a same encryption algorithm is used as in the prior art, the 
authentication step and secret communication step for the 
present invention will be just as secure as in the prior art. 



performing encryption E3 using a third encryption algorithm 
and an authentication key storage unit (respectively 83, 102) 
for storing a second authentication key KS being combined 



However, as can be clearly seen from FIGS. 2 and 5, the 30 in each of their internal constructions. This is to say, the 



authorized supplier device 15 and the authorized user device 
16 in the prior art both include an encrypter and a decrypter, 
while for the present system, the supplier device 70 only 
contains an encrypter 72 and the user device 90 only 
contains a decrypter 91. 

The above construction is possible since the encryption 
algorithm used by the encrypter 72 and the decrypter 91 is 
a substitution and since a same encrypter (or decrypter) is 
used both to check the authorization of the other device and 
to prove the authorization of the present device. 

Accordingly, for the present system, the supplier device 
70 no longer needs the decrypter which was used in the prior 
art and the user device 90 no longer needs the encrypter 
which was used in the prior art, so that both devices can be 
made more compact. 

At the same time, secrecy management for maintaining 
the security of two-way authentication becomes more simple 
with the present system. This is because the mechanism (the 
encryption module 74) to be kept secret for the supplier 



encryption module 84 and the encryption module 103 have 
the same construction elements, with these being different 
for the encryption module 74, the encrypter 80, the decryp- 
tion module 93 and the decrypter 99. This encryption E 3 
according to the third encryption algorithm can, for 
example, be a substitution encryption performed for 64-bit 
units. 

As can be seen from FIGS. 3 and 6, in addition to the 
provision of encryption modules 84 and 103, the data 
transfer circuits in each of the communication devices are 
different in part to those in the first embodiment. 

The following is an explanation of the operation of the 
present system with reference to the communication 
sequence shown in FIG. 7, The explanation will focus on the 
45 differences in processing content to the first embodiment. 
Steps S141, S142 

First, the first random number generator 71 generates 
random number Rl and transmits it to the user device 190 



35 



40 



as challenge data CHA1 for the user device 190 in the same 

device 70 is different from the mechanism (decryption 50 way as in the first embodiment. However, unlike the first 

module 93) to be kept secret for the user device 90. embodiment it also sends the random number Rl to the 

This is to say, should an unauthorized communication encrypter 82. 

device succeed in acquiring the encryption module 74, while Step S143 

this unauthorized communication device may be used as an The encrypter 101 receives the challenge data CHA1 from 

authorized supplier device 70, it cannot be used as an 55 the supplier device 170. 

authorized user device 90. Similarly, while an unauthorized The encrypter 101 sets this challenge data CHA1 as an 

communication device which has acquired the decryption cryptogram and performs encryption E 1 according to the 

module 93 may be used as an authorized user device 90, it third encryption algorithm using the second authentication 

cannot be used as an authorized supplier device 70. key KS2 stored in the authentication key storage unit 102 as 

As a result, as one example, by performing the secrecy 60 the decryption key. 

management of the encryption module 74 supplied to com- This step is added to the sequence used in the first 

panies which manufacture the authorized supplier device 70 embodiment to improve the security of the authentication of 
more securely than the secrecy management of the decryp- 
tion module 93 supplied to companies which manufacture 

the authorized user device 90, the worst possible violation of 65 
secrecy can be avoided. This is to say, even if an unautho- 
rized user can view titles, they will still not be able to 



the user device 190 by the supplier device 170. 
Steps S144, S145 

The first random number generator 94 generates the 
random number R2 an the challenge data for the supplier 
device 170 and sends It to the linking unit 95 in the same 
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way as in the first embodiment, but, unlike the first 
embodiment, also sends the random number R2 to the 
encrypter 101. 

The linking unit 95 links the cryptogram XI obtained in 
step S143 and the random number R2 generated by the first 
random number generator 94. 

The decrypter 91 sets the linked data (X1||R2) from the 
linking unit 95 as a cryptogram and performs decryption Dj 
according to the first encryption algorithm using the authen- 
tication key KS stored in the authentication key storage unit 
92 as the decryption key. It then sends the obtained data 
RESCHA to the supplier device 170 as both the response 
data and as the challenge data. 

In this way, while the challenge data CHA1 from the 
supplier device 170 was inputted directly into the decrypter 
91 in the first embodiment, in the present system it is 
subjected to encryption E 3 by encrypter 101 before being 
inputted into the decrypter 91. 
Step S146, S147 

The processing in these steps is equivalent to the reverse 
of the processing in step S144 and is the same as the 
processing in steps S45 and S46 in the first embodiment. 

This is to say, the data X2 obtained by the processing in 
step S146 corresponds to the linked data (X1||R2). The 
separated data XXI obtained in step S147 corresponds to 
cryptogram XI and the separated data RR2 corresponds to 
random number R2. Note here that the separator 75 sends 
the separated data RR2 to the encrypter 82. 
Step S148 

The encrypter 82 which received the random number Rl 
from the first random number generator 71 in step S141 sets 
this random number as plaintext and performs encryption E 3 
according to the third encryption algorithm using the authen- 
tication key KS2 stored by the authentication key storage 
unit 92, 

This step corresponds to step S143 for the user device 
190, This is to say, the cryptogram X3 obtained from 
encryption E 3 in step S148 corresponds to the cryptogram 
XI obtained from encryption E 3 in step SI 43 and also 
corresponds to the separated data XXI obtained from the 
separation in step S147. 

It should be noted here that the processing in this step 
S148 is performed at the same time as the processing in steps 
S146 and S147, since it is not necessary for these steps to 
follow one another. 
Step S149 

On receiving the separated data XXI from the separator 
75, the comparator 76 compares the separated data XXI 
with the cryptogram X3 received from the encrypter 82 and 
notifies the second random number generator 77 of the 
comparison result. 
Step S150 

Having received the separated data RR2 from the sepa- 
rator 75 in step S147, the encrypter 82 sets the separated data 
RR2 as plaintext and performs the encryption E 3 according 
to the third encryption algorithm using the authentication 
key KS2 as the encryption key. It then sends the resulting 
cryptogram X4 to the linking unit 78. 

This step is added to the sequence used in the first 
embodiment to improve the security of the authentication of 
the supplier device 170 by the user device 190. 

It should be noted here that the processing in thin step 
S150 is performed at the same time as the processing in steps 
S149, since it is not necessary for these steps to follow one 
another. 

Steps S151, S152 

On receiving notification of coincidence from the com- 
parator 76, the second random number generator 77 gener- 
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ates a random number K for the shared key and transfers it 
to the linking unit 78 and to the shared key temporary 
storage unit 79. This equates to the case when the supplier 
device 170 has been able to confirm that the user device 190 

5 is authorized. 

On the other hand, on receiving notification of non- 
coincidence from the comparator 76, the second random 
number generator 77 does not generate a random number K 
and does not perform the following processes. This equates 

10 to the case when the supplier device 170 has not been able 
to confirm that the user device 190 is authorized. 

On receiving the shared key K, the linking unit 78 links 
the shared key K with the cryptogram X4 from encrypter 82 
and sends this linked date (X4||K) to the encrypter 72, 

15 The encrypter 72 sets the linked data (X4||K) as plaintext 
and performs encryption E 1 according to the first algorithm 
using the authentication key KS stored in the authentication 
key storage unit 73 as the encryption key. The cryptogram E 1 
(KS,X4||K) thus obtained is then sent to the user device 90 

20 as the response date RES2. 
Steps S153, S154 

The processing in these steps is the equivalent of a reverse 
of the processing in step S151 and is the same as the 
processing in steps S50 and S51 in the first embodiment. 

25 This is to say, the data X5 obtained from the processing 
in step S153 corresponds to the linked data (X4||K). In the 
same way, the separated data XX4 obtained by the process- 
ing in step S154 corresponds to the cryptogram X4 and the 
separated data KK corresponds to the shared key K. 

30 StepS155 

The encrypter 101 sets the second random number R2 
which it received from the first random number generator 94 
in step S144 as plaintext and performs encryption E 2 accord- 
ing to the third encryption algorithm using the authentication 

35 key KS2 stored in the authentication key storage unit 102 as 
the encryption key. 

This step corresponds to step SI 50 in the supplier device 
170. This is to say, the cryptogram X6 obtained from 
encryption E 3 in this step corresponds to the cryptogram X4 

40 obtained from encryption E 3 in step S150 and so also to the 
separated data XX4 which is obtained by the separation in 
step S154. 

It should be noted here that the processing in this step 
S154 is performed at the same time as the processing in steps 
45 S153, since it is not necessary for these steps to follow one 
another. 

Steps S156, S157 

The comparator 97 compares the separated data xx4 from 
the separator 96 and the cryptogram X6 from the encryptor 

50 101 and informs the shared key temporary storage unit 98 of 
the comparison result. 

The shared key temporary storage unit 98 temporarily 
stores the separated data sent from the separator 96, On 
receiving notification of coincidence from the comparator 

55 97, the shared key temporary storage unit 98 informs the 
supplier device 170 of this result and sends the separated 
data KK (which correspond to the shared key K) to the 
decrypter 99. This equates to the case when the user device 
190 has been able to confirm that the supplier device 170 is 

60 authorized. This is to say, the two-way authentication is 
positively completed at the same time as the provision of the 
shared key K for the following secret communication is 
completed. 

On the other hand, on receiving notification of non- 
65 coincidence from the comparator 97, the shared key tem- 
porary storage unit 98 does not perform transmission to the 
supplier device 170 or to the decrypter 99. Accordingly, the 
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following processes described above are not performed. supplier device 70 and the user device 90 of the first 

This equates to the case when the user device 190 has not embodiment. Each of SCSI controllers 210, 220 is made up 

been able to confirm that the supplier device 170 is autho- of a CPU ROM, RAM and the like and executes processing 

rized. which is standardized for SCSI, 

Steps S158-S160 5 * n me present system, the supplier device 270 is an optical 

The processing in these steps is the same as the processing disc reproduction device, the user device 290 is a host 

in steps S54-S56 in the first embodiment so that no expla- s Y stem > the network 85 * an SCSI bus > the ending/ 

nation will be given. receiving unit 86 is an I/O controller for SCSI and the 

By means of the above processing, a copy of a title in the sending/receiving unit 87 is a host adapter, 

possession of an authorized supplier device 15 is distributed 10 F ° r SC $ l > a P air ^devices first occupy the bus and then 

only to authorized user devices, with eavesdropping by a perfoim data transfer of the object data by advancing 

third communication device during distribution being pre- thr ™g h * e fow phases called command , data , status 

ventec l and "message . As one example, the phase transition when 

As can be seen by comparing the sequences in FIG. 5 and a first device reads data from a second device 15 ™ shown 

FIG. 7, steps S143, S148, S150 and S155 in FIG. 7 have is below - 

been added to the processing in the sequence for the first 1- Command phase: the first device transmits a command 

embodiment. This is to say, the supplier device 170 and the (READ) to the second device. 

user device 190 are equipped with encryption modules 94 2. Data phase; the second device sends data of the 

and 103, for performing encryption E 3 according to the third designated length to the first device, 

encryption algorithm, which were not provided to the sup- 20 3. Status phase: the second device reports its status (the 

plier device 70 and the user device 90 in the first embodi- execution result of the above command) to the first 

ment. Furthermore, in order to check the authorization of device. 

user devices and to prove its own authorization, the supplier 4. Message phase: the second device sends a message to 

device 170 uses not only the encryption module 74 but also the first device (command complete), 

a second encryption module 84. In the same way, in order to 25 Here, since the definition of vendor unique commands is 

chock the authorization of a supplier device and to prove its permitted for SCSI, the authentication command and the 

own authorization, the user device 190 uses not only the secret communication command are uniquely defined in the 

encryption module 93 but also a second encryption module present embodiment. More specifically, the SCSI controllers 

103. 210 and 220 contain processing programs which correspond 

Due to the construction and processing described above, 30 to these commands in their internal ROMS, 

the system of the second embodiment has all of the advan- FIG. 9 shows the phase transition and data exchanges 

tages of the system of the first embodiment, while at the when transferring a copy of a title in the possession of the 

same time increasing the security of the two-way authenti- supplier device 270 to the user device 290 via the SCSI bus. 

cation process. These data exchanges are performed according to control 

It should be noted here that since the encryption module 35 operations by SCSI controllers 210 and 220. 

84 in the supplier device 170 is the same as the encryption Step 5201 (Command Phase) 

module 103 in the user device 190, secrecy management for The user device 290 sends an authentication command to 

these modules should be performed more securely than for the supplier device 270. 

the encryption module 74 and the decryption module 93. Step S202 (Data Phase) 

This can be effectively realized, for example, by using a 40 Data is exchanged between the user device 290 and the 

separate IC chip for each of the encryption module 84, the supplier device 270 according to the authentication step 

encryption module 103, the system controller In supplier (steps S41-S53 in FIG. 5). 

device 170 and the system controller in user device 190. By Step S203 (Status Phase) 

doing so, the security of the two-way authentication process The supplier device 270 informs the user device 290 of 

can be improved by increasing the security with which 45 the execution result of the aforementioned authentication 

secrecy management for the encryption module 74 and the command, 

decryption module 93 is performed. Step S204 (Message Phase) 

As described above, while improving the security of the The supplier device 270 sends a message ("command 

two-way authentication, the present system has the advan- complete") to the user device 290. By doing so, the two-way 

tage of enabling secrecy management for both communica- 50 authentication and the establishment of the secret key K are 

tion devices to be achieved through secrecy management of completed. 

one encryption module. Next, the following exchanges are performed. 

Third Embodiment Step S205 (Command Phase) 

The following is an explanation of the two-way authen- The user device 290 sends a secret communication com- 

tication system of challenge response format to which the 55 mand to the supplier device 270. 

third embodiment of the present invention relates. The Step S206 (Data Phase) 

present system equates to the case where a transfer proce- The supplier device 270 encodes the title using the secret 

dure for an SCSI (Small Computer System Interface) which key K established in step S202 and sends a title data of a 

is a representative standard input/output interface is used in specified data length to the user device 290. 
the authentication step and the secret communication step of 60 Step S207 (Status Phase) 

the system in the first embodiment.' The supplier device 270 informs the user device 290 of 

FIG. 8 is a block diagram showing the composition of the the execution result of the aforementioned secret commu- 

two-way authentication system in challenge response format nication command, 

to which this third embodiment of the present invention Step S208 (Message Phase) 

relates. 65 The supplier device 270 sends a message ("command 

As can be seen by comparing the FIG, 3 and FIG. 8, SCSI complete") to the user device 290. By doing so, the transfer 

controllers 210, 220 have respectively been added to the of title data using secret communication is completed. 
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By means of the above procedures, the present system can 
perform two-way authentication and secret communication 
adapted to an SCSI. 

The following is an explanation of the disconnect and 
reconnect functions with which the present system is 
equipped. 

Under SCSI, disconnect and reconnect functions are 
defined to enable efficient use to be made of the SCSI bus. 
Here, one example is when seek time (the time taken for 
move the head position) becomes necessary when an optica] 
disc reproduction device executes a command to read a large 
amount of data from an optical disc. In such a situation, there 
is a holdup in the reading of data from the optical disc 
reproduction device so that the SCSI bus is temporarily 
unused. In such a situation, the efficiency with which the 
SCSI bus is used can be improved by both devices tempo- 
rarily disconnecting from the bus to allow use by other 
devices and then requesting to reconnect to the SCSI bus 
once the necessary preparations for data transfer have been 
made. 

The problem with the above procedure is the danger of an 
unauthorized third party joining the communication when 
the above kind of disconnect and reconnect operations are 
made. Accordingly, when both devices resume communica- 
tion after a reconnect, it is necessary to have both devices 
agree on a method for excluding unauthorized devices. 

The present system overcomes the aforementioned prob- 
lem by having the supplier device 270 and the user device 
290 establish the following before disconnecting. 

Whether to perform two-way authentication according to 
the procedure described above (steps S201-S204) every 
time a reconnect is performed, whether to perform a sim- 
plified authentication of only one of the devices or whether 
to not perform authentication at all. 

Whether to establish a new secret key according to the 
procedure described above (steps S201-S204) when a 
reconnect is performed, or whether to perform data transfer 
using the same secret key as before. 

More specifically, by informing the user device 290 of a 
procedure stored beforehand in the SCSI controller 210, 
both communication devices end up storing the same infor- 40 
mation about disconnects and reconnects. Accordingly, 
when a reconnect is performed, communication devices 270 
and 290 perform such processes as authentication and the 
establishment of a secret key in accordance with the stored 
information. By doing so, inconsistencies in the exchanges 45 
between devices after a reconnect can be avoided and the 
reconnect can proceed smoothly. 

The two-way authentication system of the present inven- 
tion has been explained using the preceding three 
embodiments, although it should not be construed as being 50 
limited to such. Some examples of possible modifications 
are listed below. 

1. While the first embodiment described that the encryp- 
tion Ej according to the first encryption algorithm was 
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substitution unit and exclusive OR unit an one block and 
connecting a plurality of the same kind of blocks in series or 
in parallel. A decrypter is produced by connecting a bit 
substitution unit 301 and an exclusive OR unit 302 in reverse 
order. 

In the above embodiments, the encryption E 2 according to 
the second encryption algorithm and the encryption E 3 
according to the third encryption algorithm wore described 
as being substitutive encryption performed for 64-bit unit 
data, although the present invention is not limited to this 
kind of encryption. In fact, provided the first encryption 
algorithm satisfies the Equations 1 and 3 given above, the 
second and third encryption algorithms only need to satisfy 
Equation 1. 

2. In the first embodiment, the fundamental procedure 
used by each communication device in authenticating 
the other was the generation of a random number to be 
sent as challenge data, the encryption (or decryption) of 
the response data which comes in reply and the com- 
parison of the generated random data with the 
encrypted (decrypted) result, although the present 
invention is not limited to this procedure. 

As one example, a random number may be encrypted (or 
decrypted) before being sent to the other device, with the 
response data then being compared to this random number. 
This procedure is equally secure. 

3. In the second embodiment, an identical encryption 
module (84, 103) was provided in each of the supplier 
device 170 and the user device 190 to increase the 
security of the two-way authentication, although the 
present invention is not limited to this particular con- 
struction. 

As one example, an encryption module may be provided 
to the user device 190, with a corresponding decryption 
module being provided to the supplier device 170. By 
strictly controlling both of these modules, an increase in the 
security of two-way authentication can be achieved. 

4. In the third embodiment, the procedure stored before- 
hand in the SCSI controller 210 in the supplier device 
270 was given priority in determining the procedure to 
be used after a reconnect, although the present inven- 
tion need not be limited to such, so that a procedure 
stored in the user device 290 may be given priority. 

5. The system of the third embodiment was described as 
corresponding to the system of the first embodiment 
which has been adapted to SCSI standard, although the 
present invention is not limited to this. The system of 
the second embodiment may similarly be adapted to 
SCSI standard. Also, the systems of the second and 
third embodiments may use a different communication 
protocol to SCSI standard, such as a communication 
protocol which includes a command phase and a data 
transfer phase. 

Although the present invention has been fully described 
by way of examples with reference to the accompanying 



standardized for DES, the present invention is not 55 drawings, it is to be noted that various changes and modi- 



limited to such an encryption method. 

FIG. 10 shows an 8 bit data encryptor which is substitu- 
tive in nature. Here, the 8 -bit plaintext X is converted into 
the intermediate data Y by bit substitution unit 301, before 
the exclusive OR unit 302 performs exclusive OR operations 60 
for each bit of intermediate data Y and the key data K which 
converts it into the cryptogram Z. As one example, when the 
plaintext X is "11110000" and the key data is "01010101" 
the intermediate data Y becomes "01010101" and the cryp- 
togram z becomes "00000000". 65 

Complex encrypters of a substitutive nature can be pro- 
duced by setting the combination of the above kinds of bit 



fications will be apparent to those skilled in the art. 
Therefore, unless such changes and modifications depart 
from the scope of the present invention, they should be 
construed as being included therein. 
What is claimed is: 

1. A communication apparatus for performing two-way 
authentication in challenge response format with another 
communication apparatus on a communication channel, the 
communication apparatus comprising: 

first authentication key storage means for storing a first 
authentication key which is only provided to authorized 
communication apparatuses; 
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first data converting means for performing a data conver- 
sion determined by the first authentication key, the data 
conversion being based only on a single algorithm, 
wherein an inverse conversion for the data conversion 
exists and subjecting a plaintext to the data conversion 5 
and the inverse conversion in any order restores the 
plaintext to an original form; 

authenticating means for authenticating the other com- 
munication apparatus using communication in the chal- 
lenge response format and the data conversion per- 10 
formed by the first data converting means; and 

proving means for proving an authorization of a present 
communication apparatus using communication in the 
challenge response format and the data conversion 
performed by the first data converting means, 

2. The communication apparatus of claim 1, 
wherein the authenticating means includes: 

a challenge data transmitting unit for generating a 
random number and transmitting the random number 
to the other communication apparatus as challenge 
data; and 20 
a verifying unit for receiving response data from the 
other communication apparatus, for converting the 
response data using the first data converting means, 
for comparing the converted response data with the 
generated random number and for notifying the other 25 
communication apparatus of an authentication of the 
other communication apparatus if the converted 
response data coincides with the random number, 
wherein the proving means receives the challenge data ^ 
from the other communication apparatus, converts the 
challenge data using the first data converting means and 
transmits the converted challenge data to the other 
communication apparatus as response data. 

3. The communication apparatus of claim 2 for perform- 35 
ing data transfer after two-way authentication has been 
achieved, the communication apparatus further comprising; 

shared key obtaining means for obtaining a shared key 
according to a certain procedure if both the present 
communication apparatus and the other communication 4Q 
apparatus have been authenticated by each other; 

second data converting means for performing a data 
conversion determined by the shared key; and 

data transferring means for performing the data transfer of 
the converted data using the second data converting 45 
means. 

4. The communication apparatus of claim 3, wherein the 
first authentication key storage means and the first data 
converting means are combined in one integrated circuit. 

5. The communication apparatus of claim 4, further 50 
comprising: 

second authentication key storage means for storing a 

second authentication key which is only provided to 

authorized communication apparatuses; 
third data converting means for performing a date con- 55 

version determined by the second authentication key, 

wherein 

the second authentication key storage means and the 
third data converting means are combined in one 
integrated circuit, 60 

wherein the authenticating means authenticates the 
other communication apparatus using the first data 
converting means and the third data converting 
means, and the proving means proves an authoriza- 
tion of a present communication apparatus using the 65 
first data converting means and the third data con- 
verting means. 



937 

20 

6. The communication apparatus of claim 4, wherein the 
communication apparatus includes two communication 
states called a command phase and a data transfer phase and 
the communication apparatus further comprises: 

authentication controlling means for controlling the 
authenticating means, the proving means, and the 
shared key obtaining means during the command phase 
to have the authenticating means authenticate the other 
communication apparatus, to have the proving means 
prove the authorization of the present communication 
apparatus and to have the shared key obtaining means 
obtain the shared key; 

data transfer controlling means for controlling the data 
transferring means during the data transfer phase to 
have the data transferring means transfer the converted 
data. 

7. The communication apparatus of claim 6, wherein the 
communication apparatus includes a disconnect function 
which is used for temporarily closing an established con- 
nection to make the communication channel available and a 
reconnect function which is used for reopening the tempo- 
rarily closed connection, the communication apparatus fur- 
ther comprising: 

deciding means for exchanging information with the other 
communication apparatus and storing a common pro- 
cedure before a disconnect is performed for an estab- 
lished connection, 

wherein the common procedure includes information as to 
whether to re -execute an authentication by the authen- 
ticating means, whether to re-execute proving by the 
proving means, whether to re-execute an obtaining of 
the shared key by the shared key obtaining means, and 
whether to re-execute a data transfer by the data trans- 
ferring means. 

8. A communication system which is made up of a 
supplier apparatus that supplies information and a user 
apparatus that uses the information and which performs 
two-way authentication in challenge response format on a 
communication channel, wherein the supplier apparatus 
comprises: 

first authentication key storage means for storing a first 
authentication key which is only provided to authorized 
supplier apparatuses; 

first encrypting means for performing an encryption deter- 
mined by the first authentication key, wherein the 
encryption is based only on a single algorithm, wherein 
an inverse conversion for the data conversion exists and 
subjecting a plaintext to the data conversion and the 
inverse conversion in any order restores the plaintext to 
an original form and wherein the first encrypting means 
is combined with the first authentication key storage 
means in one integrated circuit; 

authenticating means for authenticating the user appara- 
tus; and 

proving means for proving an authorization of the sup- 
plier apparatus using the communication in the chal- 
lenge response format and the encryption performed by 
the first encrypting means, 
and the user apparatus comprising: 
user first authentication key storage means for storing 
the same first authentication key as the first authen- 
tication key storage means in the supplier apparatus; 
first decrypting means for performing a decryption 
determined by the first authentication key, wherein 
the decryption is a reverse conversion of the encryp- 
tion performed by the first encrypting means in the 



06/17/2004, EAST Version: 1.4.1 



6,028,' 

21 

supplier apparatus and wherein the user first authen- 
tication key storage means and the first decrypting 
means are combined in one integrated circuit; 

user authenticating means for authenticating the sup- 
plier apparatus using communication in challenge 5 
response format and the decryption performed by the 
first decrypting means; and 

user proving means for proving an authorization of the 
user apparatus using the communication in challenge 
response format and the decryption performed by the 10 
first decrypting means. 

9. The communication system of claim 8, wherein the 
supplier apparatus further comprises: 

shared key obtaining means for generating a random 
number as a shared key, for encrypting the shared key 15 
using the first encrypting means, and for transmitting a 
cryptogram obtained from the encryption to the user 
apparatus; 

second encrypting means for performing an encryption 

determined by the shared key; and 20 
information transmitting means for encrypting informa- 
tion using the second encrypting means and transmit- 
ting the encrypted information to the user apparatus, 
only after receiving a notification of authentication 25 
from the user apparatus, 
wherein the user apparatus further comprises: 
user shared key obtaining means for decrypting the 
cryptogram sent from the supplier apparatus using 
the first decrypting means if the authenticating 30 
means has authenticated the supplier apparatus and 
for storing a plaintext obtained from the decryption 
as the shared key; 
second decrypting means for performing a decryption 
determined by the shared key, wherein the decryp- 3S 
tion is a reverse conversion of the encryption per- 
formed by the second encrypting means in the sup- 
plier apparatus; and 
information receiving means for receiving the 
encrypted information transmitted by the informa- 40 
tion transmitting means of the supplier apparatus and 
decrypting the encrypted information using the sec- 
ond decrypting means. 

10. The communication system of claim 9, 

wherein the supplier apparatus further comprises: 45 
second authentication key storage means for storing a 
second authentication key which is only provided to 
supplier apparatuses which have been authorized; 
and 

third encrypting means for performing an encryption 50 
determined by the second authentication key, 
wherein the third encrypting means and the second 
authentication key storage means are combined in 
one integrated circuit, 

wherein the authenticating means authenticates the user 55 
apparatus using the first encrypting means and the 
third encrypting means, and the proving means 
proves an authorization of the supplier apparatus 
using the first encrypting means and the third 
encrypting means, 60 
and the user apparatus further comprises: 

user second authentication key storage means for stor- 
ing the same second authentication key as the second 
authentication key storage means in the supplier 
apparatus; 65 

user third encrypting means for performing the same 
encryption as the third encrypting means in the 
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supplier apparatus, wherein the user third encrypting 
means and the user second authentication key stor- 
age means are combined in one integrated circuit, 
wherein the user authenticating means authenticates the 
supplier apparatus using the first decrypting means 
and the user third encrypting means, and the user 
proving means proves an authorization of the user 
apparatus using the first decrypting means and the 
user third encrypting means. 
11. The communication system of claim 9, wherein 
the supplier apparatus includes two communication states 
called a command phase and a data transfer phase, and 
further includes a disconnect function which is used for 
temporarily closing an established connection to make 
the communication channel available and a reconnect 
function which is used for reopening the temporarily 
closed connection, 
wherein the supplier apparatus further comprises: 
authentication controlling means for controlling the 
authenticating means, the proving means, and the 
shared key obtaining means during the command 
phase to have the authenticating means authenticate 
the user apparatus, to have the proving means prove 
the authorization of the supplier communication 
apparatus and to have the shared key obtaining 
means obtain the shared key; 
data transfer controlling means for controlling the 
information transmitting means during the data 
transfer phase to have the information transmitting 
means perform information transmission; 
deciding means for exchanging information with the 
user apparatus and storing a common procedure 
before a disconnect is performed for an established 
connection, 

wherein the common procedure includes information 
as to whether to re-execute an authentication by the 
authenticating means, whether to re-execute proving 
by the proving means, whether to re -execute an 
obtaining-of the s_hared~key by the shared key obtain- 
ing means, jmd wjiejher to re -execute the informa- 
tion transmission by the information transmitting 
means, 

wherein the user apparatus includes two communica- 
tion states called a command phase and a data 
transfer phase, and further includes the same discon- 
nect function and reconnect function as the supplier 
apparatus, 

wherein the user apparatus further comprises: 

authentication controlling means for controlling the 
authenticating means, the proving means, and the 
shared key obtaining means during the command 
phase to have the authenticating means authenti- 
cate the supplier apparatus, to have the proving 
means prove the authorization of the user com- 
munication apparatus and to have the shared key 
obtaining means obtain the shared key; 

data transfer controlling means for controlling the 
information receiving means during the data trans- 
fer phase to have the information receiving means 
perform information reception: 

deciding means for exchanging information with the 
user apparatus and storing a common procedure 
before a disconnect is performed for an estab- 
lished connection, 

wherein the common procedure includes information 
as to whether to re -execute an authentication by 
the authenticating means, whether to re-execute 
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proving by the proving means, whether to 
re-execute an obtaining of the shared key by the 
shared key obtaining means, and whether to 
re-execute the information reception by the infor- 
mation transmitting means. 

12. A method of performing two-way authentication and 
distribution of a secret key in a communication system 
which is made up of a supplier apparatus that supplies 
information and a user apparatus that uses the information, 
the method comprising: 

a first step in which the supplier apparatus generates a first 
random number and transmits the first random number 
to the user apparatus; 

a second step in which the user apparatus receives the first 
random number, generates a second random number, 
combines the first random number and the second 
random number into a first cryptogram, decrypts the 
first cryptogram, and transmits a first plaintext obtained 
from the decryption to the supplier apparatus; 

a third step in which the supplier apparatus receives the 
first plaintext, encrypts the first plaintext, wherein an 
inverse conversion for the encryption exists and sub- 
jecting a plaintext to the encryption and the inversion 
conversion in any order restores the plaintext to origi- 
nal form, divides a second cryptogram obtained from 
the encryption into first data and second data, the first 
data corresponding to the first random number and the 
second data corresponding to the second random 
number, compares the first random number with the 
first data, generates a third random number as the secret 
key if the first data coincides with the first random 
number, combines the third random number and the 
second data, encrypts a second plaintext which is 
obtained from combination using a same encryption 
method as when encrypting the first plaintext, and 
transmits to the user apparatus a third cryptogram 
obtained by encrypting the second plaintext; and 

a fourth step in which the user apparatus receives the third 
cryptogram, decrypts the third cryptogram using the 
same decryption method as when decrypting the first 
cryptogram, divides a third plaintext obtained by 
decrypting the third cryptogram into third data and 
fourth data, the third data corresponding to the second 
data and the fourth data corresponding to the third 
random number, compares the third data with the 
second random number, and, if the third data coincides 
with the second random number, notifies the supplier 
apparatus of a coincidence of the third data and the 
second random number and holds the fourth data as the 
secret key. 

13. A digital communication system for transmitting titles 
such as movies and multi media works comprising: 

a supplier device for transmitting and receiving data over 
the digital communication system, 

a plurality of user devices for transmitting and receiving 
data over the digital communication system, each user 
device including a first encryption module for chal- 
lenge and response, said module having a first 
encrypter containing a first data conversion algorithm, 
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wherein an inverse conversion for the first data con- 
version algorithm exists and subjecting a plaintext to 
the first data conversion algorithm and the inverse 
conversion in any order restores the plaintext to an 
5 original form, said user device further comprising a 
third encrypter containing a third data conversion algo- 
rithm; and 

a transmission apparatus for transmitting data between the 
supplier and the user devices. 
10 14. The digital communication system of claim 13 
wherein the first encrypter containing the first data conver- 
sion algorithm is used by a first user device to authenticate 
the validity of a supplier device on the system, and wherein 
the first encrypter containing the first data conversion algo- 
15 rithm is also used by the first user device to prove its validity 
to the supplier device. 

15. The digital communication system of claim 13 
wherein the first encryption module includes a first authen- 
tication key of roughly 64 bits stored in a first authentication 

20 key storage unit, wherein said first authentication key is 
utilized by the first encrypter to encrypt challenge and 
response data. 

16. The digital communication system of claim 13 
wherein the third encrypter containing the third data con- 

25 version algorithm is used by the first user device to decrypt 
titles received from the supplier device through the trans- 
mission apparatus. 

17. The digital communication system of claim 13 
wherein the first encrypter comprises a non volatile IC chip 

30 on which is stored the first data conversion algorithm. 

18. The digital communication system of claim 13 
wherein the supplier device comprises a second encryption 
module for challenge and response, said second encryption 
module having a second encrypter containing a second data 

35 conversion algorithm that is substitutive in nature, the sup- 
plier device further comprising a fourth encrypter containing 
a fourth data conversion algorithm. 

19. The digital communication system of claim 18 
wherein the second encrypter containing the second data 

40 conversion algorithm is used by the supplier device to 
authenticate the validity of the first user device, and wherein 
the second encrypter containing the second data conversion 
algorithm is also used by the supplier device to prove its 
validity to the first user device. 

45 20. The digital communication system of claim 18 
wherein the second encryption module includes a second 
authentication key of roughly 64 bits stored in a second 
authentication key storage unit, wherein the second authen- 
tication key is utilized by the second encrypter to encrypt 

50 challenge and response data. 

21. The digital communication system of claim 18 
wherein the fourth encrypter containing the fourth data 
conversion algorithm is used by the supplier device to 
encrypt titles transmitted to user devices through the trans- 

55 mission apparatus. 

22. The digital communication system of claim 18 
wherein the second data conversion algorithm is stored in a 
non volatile IC chip. 

* * * * * 
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